#Ransomware

ransomware.live (unofficial) ransomwatch@infosec.exchange
2026-02-04

New #ransomware post!

Victim: GC Dental
Group: spacebears
Discovered: 2026-02-04 04:10:52.903515

2026-02-04

New post from #Space Bears : Gc Dental
More at : ransomlook.io/group/Space%20Be #Ransomware

2026-02-04

New post from #Shinyhunters : University Of Pennsylvania
More at : ransomlook.io/group/Shinyhunte #Ransomware

2026-02-04

New post from #Shinyhunters : Harvard University
More at : ransomlook.io/group/Shinyhunte #Ransomware

2026-02-04

🚨New ransom group blog post!🚨

Group name: spacebears
Post title: GC Dental
Info: cti.fyi/groups/spacebears.html

#ransomware #cti #threatintelligence #cybersecurity #infosec

ransomware.live (unofficial) ransomwatch@infosec.exchange
2026-02-04

New #ransomware post!

Victim: Crystal Coast Pain Management
Group: devman
Discovered: 2026-02-04 01:24:21.009050

2026-02-04

New post from #Devman2 : Crystal Coast Pain Management
More at : ransomlook.io/group/Devman2 #Ransomware

ransomware.live (unofficial) ransomwatch@infosec.exchange
2026-02-03

New #ransomware post!

Victim: peterboroughpublichealth.ca
Group: lynx
Discovered: 2026-02-03 21:23:19.745421

2026-02-03

TL;DR The #ransomware gang #Medusa has claimed responsibility for an attack on the IT servers of the #Comune di #Battipaglia (municipality of Battipaglia), with the exfiltration of over 200,000 files.

@sicurezza

zerozone.it/cybersecurity/medu

2026-02-03

Morning, cyber pros! ☕ It's been a busy 24 hours with several critical vulnerabilities under active exploitation, new insights into nation-state tradecraft, and some important shifts in government cyber policy. Let's dive in:

Actively Exploited Vulnerabilities & Reconnaissance ⚠️
- Russian APT28 (Fancy Bear) is actively exploiting a recently patched Microsoft Office zero-day (CVE-2026-21509) in attacks against Ukrainian government entities and other EU organisations. They're using themed malicious DOC files to install COVENANT malware, and sometimes MiniDoor or PixyNetLoader. Patching immediately is crucial; if not, implement registry-based mitigations.
- A critical RCE flaw (CVE-2025-11953) in React Native's Metro development server is under active exploitation, delivering Rust-based malware to Windows and Linux dev systems. Attackers are using the /open-url HTTP endpoint for arbitrary OS command execution, often disabling Microsoft Defender first. With ~3,500 exposed servers, developers should patch to version 20.0.0 or later immediately.
- CISA has flagged a critical SolarWinds Web Help Desk untrusted data deserialisation RCE flaw (CVE-2025-40551) as actively exploited, mandating federal agencies patch within three days. This allows unauthenticated attackers remote command execution. Admins should update to Web Help Desk 2026.1 without delay, as these products are frequent targets.
- A widespread reconnaissance campaign is targeting Citrix NetScaler infrastructure, using over 63,000 residential proxies to scan for login panels and enumerate product versions. This activity, observed between January 28 and February 2, suggests pre-exploitation mapping for known Citrix ADC weaknesses. Monitor for specific user agents, unusual access to /epa/scripts/win/nsepa_setup.exe, and outdated browser fingerprints.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/russian-state-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research & Malware 🕵🏼
- Chinese state-linked APT group Lotus Blossom (aka Billbug) has been attributed with "moderate confidence" to the Notepad++ update hijacking. They exploited update infrastructure to deliver a new, sophisticated backdoor dubbed Chrysalis, using DLL sideloading, custom API hashing, and obfuscation.
- Users who downloaded suspicious Notepad++ updates between June and December 2025 should check for compromise and rotate credentials.
- A new GlassWorm malware campaign is targeting macOS systems via compromised OpenVSX extensions, stealing passwords, crypto-wallet data, and developer credentials. The threat actor compromised a legitimate developer's account to push malicious updates. Users of affected extensions should clean systems and rotate all secrets.
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ“° The Hacker News | thehackernews.com/2026/02/note
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu

Recent Cyber Attacks & Breaches 🚨
- Data storage giant Iron Mountain has confirmed a breach claimed by the Everest extortion gang, but states it was mostly limited to marketing materials. Attackers used a single compromised credential to access one folder on a public-facing file-sharing server, with no ransomware deployed or other systems breached.
- Separately, a new phishing scheme is harvesting Dropbox logins using multi-stage obfuscation, with fake PDF lures hosted on legitimate cloud services. The campaign is notable for its lack of conventional malware, focusing purely on credential theft and bypassing email authentication checks.
- This highlights the importance of strong credential management and user awareness, as sophisticated social engineering can bypass technical controls.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🚨 Dark Reading | darkreading.com/cloud-security

Regulatory Issues & Changes ⚖️
- The UK's Office of Financial Sanctions Implementation (OFSI) has opened its first investigation into suspected breaches of the country's cyber sanctions regime, involving up to five financial services firms. This follows expanded monitoring and investment in crypto investigation tools.
- This underscores increased scrutiny on compliance with sanctions against state-backed and financially motivated cyber actors, with potential civil penalties up to £1 million or 50% of the breach value.
- Microsoft Azure Storage has officially stopped supporting TLS 1.0 and 1.1, with TLS 1.2 now the minimum requirement, effective February 3, 2026. Organisations still relying on these deprecated, less secure protocols for legacy systems connecting to Azure Storage will no longer be able to connect.
πŸ—žοΈ The Record | therecord.media/uk-investing-f
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Government Cyber Policy & Staffing 🏛️
- The Trump administration's second term has seen CISA scale back its election security support, leading states to seek internal funding and resources. Cuts to CISA's budget and staff, combined with a lack of dedicated congressional funding, have left states feeling isolated.
- This shift necessitates states developing more self-reliant strategies for election cybersecurity, despite CISA's claims of continued support.
- National Cyber Director Sean Cairncross is advocating for reduced cybersecurity regulatory burdens on industry and increased cooperation, urging industry feedback on friction points. He also called for industry support to pass a 10-year extension of the Cybersecurity Information Sharing Act of 2015.
🀫 CyberScoop | cyberscoop.com/cisa-election-s
🀫 CyberScoop | cyberscoop.com/sean-cairncross

Everything Else 🌐
- The AI-powered personal assistant project OpenClaw (formerly Clawdbot/Moltbot) is being described as a "security dumpster fire" due to multiple high-impact vulnerabilities, including one-click RCE and command injection flaws. Hundreds of malicious "skills" have been found, some stealing cryptocurrency.
- Users are warned against running OpenClaw on their machines due to significant security risks and unexpectedly high API costs from inefficient operations.
- Polish authorities have arrested a 20-year-old man suspected of operating a multi-layered botnet to conduct DDoS attacks on "numerous popular websites," including those of strategic importance globally.
- Recent major cloud outages underscore the critical impact on identity systems, which act as "gatekeepers" for all modern applications and services. Traditional regional high availability is often insufficient, necessitating multi-cloud strategies or on-premises alternatives and graceful degradation planning for identity architectures.
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ“° The Hacker News | thehackernews.com/2026/02/when

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Vulnerability #ZeroDay #RCE #SupplyChainAttack #Malware #InfoSec #IncidentResponse #CloudSecurity #ElectionSecurity #CyberPolicy #AI #DDoS

2026-02-03

🚨New ransom group blog post!🚨

Group name: incransom
Post title: Western New York Energy
Info: cti.fyi/groups/incransom.html

#ransomware #cti #threatintelligence #cybersecurity #infosec

2026-02-03

New post from #Lynx : Peterboroughpublichealth.Ca
More at : ransomlook.io/group/Lynx #Ransomware

ransomware.live (unofficial) ransomwatch@infosec.exchange
2026-02-03

New #ransomware post!

Victim: Interplan
Group: worldleaks
Discovered: 2026-02-03 20:16:42.707594

BeyondMachines :verified: beyondmachines1@infosec.exchange
2026-02-03

Tulane University Medical Group Data Breach

Tulane University Medical Group reported a data breach affecting 6,530 individuals following a ransomware attack claimed by the CL0P group. The breach targeted the organization's eClinicalWorks EHR systems, potentially exposing Social Security numbers and protected health information.

#cybersecurity #infosec #incident #ransomware
beyondmachines.net/event_detai

2026-02-03

New post from #Inc Ransom : Western New York Energy
More at : ransomlook.io/group/Inc%20Rans #Ransomware

ransomware.live (unofficial) ransomwatch@infosec.exchange
2026-02-03

New #ransomware post!

Victim: Western New York Energy
Group: incransom
Discovered: 2026-02-03 19:27:24.815278

Chum1ng0 - Security Research :verified: chum1ng0@infosec.exchange
2026-02-03

Ransomware attack on the mining company pucobre.cl. In the samples, the attackers expose file samples such as forms, contract annexes, plaintext passwords, job interviews, and identity cards.

No one from the mining company has given a statement about this ransomware incident.

security-chu.com/2026/02/Empre

#Chile #ransomware #cyberattack #cybersecurity #cl #databreach #mining

2026-02-03

🇺🇸 Qilin claims ransomware attack on USA's Medinah School District 11. Alleged data exfiltration but provided no samples to confirm the data. #Ransomware #Education #USA #ThreatIntel
